One of the main challenges with antivirus software (AV) running on the Microsoft Windows NT family of systems (i.e., Windows 2000, XP, Vista, 7, 8, 8.1, and their server counterparts) is the need to access operating system (OS) services (such as the kernel-mode functions and structures of the OS) when combating threats. Because many advanced threats (e.g., rootkits) compromise, or otherwise tamper with, these very services, the AV is oftentimes ineffective in detecting and/or eliminating such threats.
One solution to this problem involves taking the computer offline (by shutting down the OS) and scanning the computer's hard disk drives (HDDs) from a trusted environment. Various AV products have been designed to implement this, including AVG Rescue CD, Avira AntiVir Rescue System, and Kaspersky Rescue Disk. Each of these implementations, however, requires substantive user knowledge and involvement in the cleaning process—to configure the trusted environment, the user not only has to create a bootable compact disk (CD) from a downloaded ISO image or a bootable universal serial bus (USB) disk from a downloaded installer, but must also be savvy enough to modify the computer's boot sequence via the computer's basic input/output system (BIOS) interface. The latter can be quite challenging for typical users, given that different computer manufacturers implement their BIOS interfaces differently, and thus there is no simple procedure that users of varying computers can execute. Indeed, a conventional process for conducting offline scanning and/or cleaning of an infected computer can include the following:
1. An advanced threat (e.g., a resistant malware) that cannot be removed during run-time is identified.
2. The user downloads an ISO image or an installer including a boot loader (i.e., Syslinux), and creates a bootable CD or USB storage device.
3. The user shuts down the Windows OS.
4. The computer restarts and its central processing unit (CPU) is switched from protected mode to real mode.
5. The computer runs a Power On Self-Test (POST).
6. The user enters BIOS and modifies the order of the boot sequence such that either the computer's CD-ROM or USB drive has boot priority over HDD(s).
7. The boot loader (i.e., Syslinux) is loaded from the CD/USB device and executed.
8. The boot loader loads a Linux™ kernel (i.e., vmlinuz) and the initial RAM disk (i.e., initrd.lzm).
9. The CPU is switched from real mode to protected mode and execution is passed to the Linux kernel.
10. The Linux kernel initializes, the root file system is mounted, and the user interface (UI) is displayed.
11. The user instructs the computer to perform the offline scan (and cleaning tasks), and reboots the computer upon completion.
12. The computer restarts and runs POST.
13. The user re-enters the BIOS and reverts the boot sequence to its prior settings such that the HDD(s) have boot priority over the CD-ROM/USB drives (which avoids later unintended booting, for example, from a forgotten CD or USB device left in the corresponding drive).
14. The Windows OS restarts.
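Steps 7 through 10 are driven by the boot loader's configuration file on the rescue medium. The following is a constructed example of such a file, added here for illustration and not taken from any of the products named above; it assumes the medium uses ISOLINUX/SYSLINUX (the Syslinux family), that the file is named isolinux.cfg, and that the kernel and initial RAM disk use the names vmlinuz and initrd.lzm given in step 8.

```text
# isolinux.cfg for a rescue CD (constructed example)
# Lines beginning with '#' are comments; the loader ignores them.

# Entry booted if the user makes no choice within TIMEOUT.
DEFAULT rescue

# Show the boot: prompt so the user can type a label name.
PROMPT 1

# TIMEOUT is in tenths of a second: wait 10 s, then boot DEFAULT.
TIMEOUT 100

# Step 8: load the Linux kernel and the initial RAM disk from the medium;
# step 9 (switch to protected mode and hand-off) happens inside the kernel.
LABEL rescue
    KERNEL vmlinuz
    APPEND initrd=initrd.lzm

# Alternative entry: hand control to the first hard disk's own boot code
# (0x80 is the BIOS drive number of the primary HDD). Typing "hdd" at the
# prompt boots the installed Windows OS without removing the medium, which
# addresses the forgotten-disc concern noted in step 13.
LABEL hdd
    LOCALBOOT 0x80
```

Setting DEFAULT to hdd instead would make a forgotten rescue disc fall through to the installed OS after the timeout, at the cost of requiring the user to type "rescue" at the prompt when an offline scan is actually wanted.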
Given the undue demand for user involvement in the above-described and other similar conventional processes, there is a need for an improved method of preparing a computer for offline scanning and removal of advanced threats that is simple and user-friendly.